A critical 66th CVE on the list should already have been fixed a week ago by an emergency patch that Microsoft issued for a remote code execution (RCE) vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).

The five font-themed flaws attracted warnings from experts, including Dustin Childs of vulnerability research company Zero Day Initiative:

Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers.

A final interesting flaw is CVE-2018-0850, rated “Important” and affecting Microsoft Outlook.

The flaw was reported by US CERT CC’s Will Dormann way back in November 2016. The update patches it, but not entirely, he said:

This update prevents automatic retrieval of remote OLE objects in Microsoft Outlook when rich text email messages are previewed. If a user clicks on an SMB link, however, this behavior will still cause a password hash to be leaked.
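A defender-side check for the residual risk Dormann describes, as an added example that is not from the article: it scans a message's text parts for SMB-style links (UNC paths and `file://` URLs that name a host) and marks hosts outside an assumed internal suffix list. The sample message, its host names and the `INTERNAL_SUFFIXES` value are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Assumption: hosts under these suffixes are the organisation's own file servers.
INTERNAL_SUFFIXES = (".corp.example",)

# Matches \\host\..., file://host/... and file:////host/...; a file:/// URL
# with no host (a local path) does not match.
LINK_RE = re.compile(r'(?:\bfile://(?://)?|\\\\)([^\\/\s"\'<>]+)', re.I)

# Constructed sample message (not taken from the article).
SAMPLE_EML = r"""From: sender@example.org
To: user@corp.example
Subject: Q2 figures
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Report: <a href="file://203.0.113.10/share/q2.xlsx">open</a></p>
<p>Backup: \\files.corp.example\finance\q2.xlsx</p>
<p>Site: <a href="https://example.org/q2">web copy</a></p>
"""


def find_smb_links(raw_message, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (host, 'internal' | 'external') for each SMB-style link found."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        # Only text/plain and text/html bodies are inspected here.
        if part.get_content_maintype() != "text":
            continue
        for match in LINK_RE.finditer(part.get_content()):
            host = match.group(1).lower()
            internal = host.endswith(tuple(internal_suffixes))
            findings.append((host, "internal" if internal else "external"))
    return findings


if __name__ == "__main__":
    for host, scope in find_smb_links(SAMPLE_EML):
        # An external SMB host in a mail body is the case worth flagging.
        print(f"{scope:8} SMB link to {host}")
```

Rich text messages carried as TNEF attachments are not decoded by this sketch, so it covers only links visible in plain-text and HTML bodies.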

For Windows 10 users, this works in tandem with a Microsoft update (look for “April 2018 Windows OS updates”), installed in conjunction with each PC manufacturer’s BIOS updates. Linux mitigations were released earlier in 2018.